The best way to choose an IT support company is to put every shortlisted provider through the same set of questions and compare the answers side by side. A handful of things genuinely separate a good MSP from a bad one: response times in writing, real security certifications, where the helpdesk staff actually sit, fair contract terms you can leave, and proper data protection. The ten questions below are the ones we would ask if we were buying IT support ourselves.
Switching providers is disruptive, and most contracts run for a year or more, so it pays to do the due diligence properly the first time. Here is what to ask, and which answers should reassure or worry you.
1. What are your guaranteed response and resolution times?
Every provider will tell you they are responsive. Ask them to put numbers in the contract. A proper Service Level Agreement (SLA) sets out how quickly they will respond to a ticket and, ideally, how quickly they aim to fix it, broken down by priority. A server outage stopping ten people working is not the same as a single password reset, and the SLA should reflect that.
Watch the gap between response and resolution. "We will respond within an hour" can mean an automated email confirming they have received your ticket. Ask what "response" actually means, what happens when they miss the target, and whether the SLA is backed by service credits or just goodwill.
2. Where are your engineers and helpdesk based?
This matters more than people expect. An offshore helpdesk might shave a little off the price, but you can lose out on plain-English communication, time-zone overlap and, crucially, the ability to get someone on site when a remote fix is not enough. A failed switch, a flooded comms cupboard or a workstation that will not boot needs hands on the hardware.
For a business in Berkshire or the Thames Valley, a provider within an hour's drive can be on site the same day. Ask where the helpdesk sits, where the field engineers are based, and what their typical on-site response time is for your postcode.
3. What security certifications do you hold?
Your IT provider will have administrator-level access to your systems, so their own security becomes your problem. Two certifications are worth asking about in the UK:
Cyber Essentials / Cyber Essentials Plus - the NCSC-backed scheme covering five core technical controls. Cyber Essentials Plus involves an independent audit rather than self-assessment. From April 2026 the scheme makes multi-factor authentication effectively mandatory wherever a cloud service offers it, so a current certificate tells you the provider is keeping pace.
ISO 27001 - an international standard for managing information security across the whole organisation, not just five controls. It is more involved, and signals a mature, audited approach to security.
A good MSP should hold Cyber Essentials at minimum and be able to help you achieve it too. If they cannot keep their own house in order, they have no business looking after yours.
4. Will you sign a Data Processing Agreement?
Under UK GDPR and the Data Protection Act 2018, a supplier handling personal data on your behalf is acting as a data processor, and you are legally required to have a written contract in place. The ICO sets out exactly what that Data Processing Agreement (DPA) must cover: that they only act on your documented instructions, keep the data secure, help you respond to data breaches and subject access requests, and return or delete your data when the contract ends.
Any competent provider will offer a DPA without blinking. If a prospective supplier looks blank when you mention it, treat that as a serious warning sign. It suggests they have not thought about their own compliance, let alone yours.
5. Is your support proactive or reactive?
Reactive support waits for you to ring up when something breaks. Proactive support monitors your systems, applies patches and updates, watches your backups and catches problems before they turn into outages. The difference shows up in how often things go wrong in the first place.
Ask what they monitor, how often patches are applied, and what they do behind the scenes that you would never notice as a user. A provider who only appears when you log a ticket is selling you a fire brigade, not IT management.
6. Who will be our named contact, and will we get strategic reviews?
Day-to-day tickets can go to a shared helpdesk, and that is fine. But you should have a named account manager who knows your business, plus a regular review (quarterly, or at least twice a year) to look at what is coming: ageing hardware, licence renewals, security gaps, the PSTN switch-off on 31 January 2027 if you still rely on analogue lines. Good IT support is partly about planning, so you are not lurching from one emergency to the next.
7. How is your pricing structured?
The cleanest model for most SMEs is per user per month, covering a defined set of support and services so your bill is predictable and scales as you hire. Ask exactly what is included and, more to the point, what is not.
The thing to flush out is surprise fees. Some providers quote a low monthly rate, then bill separately for anything that looks like a "project" - a new starter, an out-of-hours server reboot, an office move. Ask for examples of what would fall outside the monthly fee, and what those typically cost.
8. Can we speak to clients like us?
Ask for two or three references from businesses of a similar size and, ideally, sector. An accountancy practice, a care provider and a manufacturer have very different needs, and someone who understands Making Tax Digital, the NHS DSP Toolkit or industrial networks respectively is worth more than a generalist. Actually phone the references and ask the awkward question: what happened the last time something went badly wrong? Check independent reviews too, not just the testimonials on the provider's own website.
9. How long is the contract, and how do we leave?
There is nothing wrong with a 12-month term. It gives both sides a bit of stability. There is something wrong with a three-year lock-in, automatic renewals you cannot escape, or vague language about what happens to your data and documentation if you go.
Ask directly: what is the notice period, and what does offboarding involve? A confident provider will hand over passwords, documentation and admin access cleanly, because they expect to keep you on service quality rather than contractual handcuffs.
10. What does onboarding look like?
The first thing a good MSP does is audit and document your environment: every device, account, licence, line and backup. If a provider cannot explain how they will get to know your setup in the first month, they will be flying blind the day you actually need them.
Red flags to walk away from
Long lock-in contracts with punishing exit terms
SLAs that are vague or absent ("we'll get to it as soon as we can")
No named account manager and no scheduled strategic reviews
A helpdesk you can only reach by email, with no phone option
Reluctance to sign a Data Processing Agreement or to evidence security certifications
Headline pricing that turns out to exclude half of what you actually need
Weighing security against price
The cheapest quote is rarely the cheapest provider once you have added the surprise project fees and the cost of downtime from reactive support. You do not need to pay for the most heavily certified provider in the country either. For most SMEs the sensible bar is Cyber Essentials as a minimum, a willingness to sign a DPA, clear SLAs and transparent per-user pricing. Treat the certifications as a pass-or-fail gate first, then compare price among the providers who clear it, not the other way round.
A local provider earns its keep on the days a remote fix is not enough and you need an engineer through the door, which tends to be exactly when downtime is costing you most.
A quick word from us
We are an MSP based in Wokingham, so we will naturally make the case for local support and proper certifications. But put these ten questions to any provider you are considering, us included, and the answers will tell you a lot. If you would like a straight conversation about your current setup, or a second opinion on a quote you have been given, our team is happy to help.